Novell Home

CVE-2011-3848

Common Vulnerabilities and Exposures

[Previous] [Index] [Next]

Upstream information

CVE-2011-3848 at MITRE

Description

Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25.

NVD CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Novell/SUSE information

Novell Bugzilla entries: 721139, 726372

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE 11.3
  • puppet >= 0.25.4-4.3.1
  • puppet-server >= 0.25.4-4.3.1
openSUSE 11.4
  • puppet >= 2.6.4-4.7.1
  • puppet-server >= 2.6.4-4.7.1
SUSE Linux Enterprise Desktop 11 SP1
  • puppet >= 2.6.12-0.6.1
sled11-sp1.x86-64
sles11-sp1.x86-64
sles11-sp1.ia64
sles11-sp1.ppc
sles11-sp1-vmware.x86
sles11-sp1.x86
sles11-sp1-vmware.x86-64
sles11-sp1.s390x
SAT Patch Nr: 5421
SUSE Linux Enterprise Server 11 SP1
SUSE Linux Enterprise Server 11 SP1 for VMware
  • puppet >= 2.6.12-0.6.1
  • puppet-server >= 2.6.12-0.6.1
sled11-sp1.x86-64
sles11-sp1.x86-64
sles11-sp1.ia64
sles11-sp1.ppc
sles11-sp1-vmware.x86
sles11-sp1.x86
sles11-sp1-vmware.x86-64
sles11-sp1.s390x
SAT Patch Nr: 5421
openSUSE 11.3
  • puppet >= 0.25.4-4.7.1
  • puppet-server >= 0.25.4-4.7.1
openSUSE 11.4
  • puppet >= 2.6.4-4.11.1
  • puppet-server >= 2.6.4-4.11.1

© 2014 Novell